The potentially devastating consequences of computer "viruses" have been widely publicized. A computer virus may be viewed as a computer program which, when executed, results in the performance of not only operations expected by the user, but also unexpected, often destructive, operations built into the program. A computer virus may also be viewed as a program which, when executed, takes a part of its code and places such code in other programs to thereby infect the other programs. The virus may modify other programs within the system, set various traps in the system, alter various control programs, erase or otherwise modify files in the system, etc.
Such a virus is typically maliciously constructed to have such undesirable side effects which damage, probe or compromise the user's data in unexpected ways. Problems with computer viruses are often compounded by the fact that the virus controlling program is typically executed "implicitly" when the user accesses certain necessary data so that the user is not even aware that the destructive program is executing.
The present invention provides protection from such viruses and also from programs which execute on a system but which are not actual computer virus carriers. In this regard, a program may have an unintended, adverse impact on a computer system and/or associated data. For example, an executing program may inadvertently cause certain user data to be sent to a third party. Such a program may have been the result of a programming error or may have been intentionally designed to cause a particular problem.
Prior art operating systems are typically designed to protect data from computer users. In such systems, users are often assigned various authorities and are thereafter able to execute programs based on their associated authority. If a program is executing which exceeds the user's assigned authority, then such a system will halt execution of the program. Such prior art systems do not adequately protect computer users from computer viruses or the like.
There are security systems which protect certain "system" related files from being modified by a program. However, such systems do not typically protect a computer user from a program executing and modifying the user's own files.
The present invention is directed to providing reliable security, even when operating with complex data structures, e.g., objects, containing their own program instructions, which are transmitted among users. The present invention also provides enhanced security when processing more conventional programs, even those of questionable origin, e.g., from a computer bulletin board, without exposing system programs or data to the potentially catastrophic consequences of computer viruses or of incompetent programming.
The present method and apparatus utilizes a unique operating system design that includes a system monitor which limits the ability of a program about to be executed to the use of predefined resources (e.g., data files, disk writing capabilities etc.). The system monitor builds a data structure including a set of authorities defining that which a program is permitted to do and/or that which the program is precluded from doing.
The set of authorities and/or restrictions assigned to a program to be executed are referred to herein as "program authorization information" (or "PAI"). Once defined, the program authorization information is thereafter associated with each program to be executed to thereby delineate the types of resources and functions that the program is allowed to utilize. The PAI associated with a particular program may be assigned by a computer system owner/user or by someone who the computer system owner/user implicitly trusts.
The PAI defines the range of operations that a program may execute and/or defines those operations that a program cannot perform. The program is permitted to access what has been authorized and nothing else. In this fashion, the program may be regarded as being placed in a program capability limiting "safety box" This "safety box" is thereafter associated with the program such that whenever the system monitor runs the program, the PAI for that program is likewise loaded and monitored. When the program is to perform a function or access a resource, the associated
is monitored to confirm that the operation is within the defined program limits. If the program attempts to do anything outside the authorized limits, then the program execution is halted.
Thus, the present invention advantageously protects a user from any program to be executed. The present invention is particularly advantageous in light of current data processing practices where programs are obtained from a wide range of diverse, untrustworthy places such as computer bulletin boards or other users of unknown trustworthiness.
The present invention contemplates that the above-described PAI may be, together with the program itself (or a hash of the program), digitally signed by some entity that the user trusts. When digital signatures are used to validate the PAI, the aforementioned PAI monitoring will also involve verifying a digital signature on a PAI to ensure that it belongs to an entity trusted by the user and that it is properly authorized and that it and the associated program have not been tampered with.
The present invention contemplates the use of the hierarchical trust digital signature certification systems such as that described in the inventor's U.S. Pat. Nos. 4,868,877 and 5,005,200 which patents are hereby incorporated by reference herein. In accordance with the teachings of these patents, it is possible for a single high level authorizing entity to securely delegate the authority to authorize programs among a number of other entities and to require co-signatures at any level, thereby inhibiting the possibility of error, fraud by the authorizing agents themselves. This allows a single software validation group to service a large population, thereby substantially reducing the per capita expense to each user.
In one contemplated embodiment of the present invention, programs may be part of data objects, which are written in a high-level control language and are executed by a standardized interpreter program which executes this high-level language. In this case, part of the interpreter's task is to verify that the functions encountered in the high level logic are, in fact, permissible. If such tasks are not permissible, the interpreter then suppresses the execution of the program not authorized to perform such tasks.
Many advantages flow from the use of the present invention. For example, the present invention advantageously serves to bind limitations to programs so that it becomes impossible for covert programs or viruses to be introduced into the system. Users are protected through specifying details as to the functions that may be performed to ensure that programs which are intended for one function do not accidentally or intentionally cross-over and affect other unrelated or critical resources (so as to effect the spread of computer viruses). Through the use of the program authorization information in the manner described herein, it is possible for users to protect themselves against the programs they execute.
Administrative agents can effectively limit the scope of programs without the need to comprehend every aspect of the program's logic. Administrators can authorize and limit programs based on their intended functions and definitions to thereby reduce the dangers of program defects. In this fashion, the dangers of the distraught or mischievous programmer who might try to plant a software "time bomb" or virus can be limited.
The present invention also permits digital signatures to verify the PAI. Thus, programs can be freely and safely exchanged within a large population, where all members trust the common high-level signing authority.
Even programs with no known trustworthiness can be used after program authorization information associates a wide range of restrictions to thereby allow potentially beneficial programs to be safely used--even if they do not have an official certification of trust.
The present invention also allows an unlimited number of different resources and functions to be controlled. For example, some useful resources/functions which may be controlled include: the ability to limit a program to certain files or data sets; the ability to transmit data via electronic mail to someone outside the user's domain; the ability of a program to create or solicit digital signatures; the ability to limit access to a program of certain security classes, etc.
The present invention also provides the ability to limit whether a program can perform digital signature operations and limit how such signatures must be performed. In many cases, when a program is involved in soliciting a digital signature from a user, it is up to the program to make the user aware of the data to which the signature is being applied. Such is likely to be the case with electronic data interchange (EDI) transactions. In this case, it is conceivable for a mischievous application program to show the user one set of data and yet feed another set of data for signature. In this case, the program has tricked the user into digitally signing totally different information than that which the user has been led to believe. The present invention provides a mechanism which protects the user from programs which solicit digital signatures.
Through the use of the present invention, general object oriented data may be transferred from user to user without exposing users to the potential dangers of viruses or mischievous users.